Folstart

The Folstart family, also known as Rotinom, of worms poses a severe threat to an infected computer. Most Folstart variants spread using removable memory devices. Their main payload is causing changes to the infected computer's settings that pose a threat to the victim's privacy and to the infected computer's integrity. Although Folstart is programmed to disseminate from one PC to another, Folstart can be used to spread other malware as well as to spy on the victim's private information. ESG security researchers strongly advise removing Folstart variants immediately with a reliable anti-malware application.

Malware in the Folstart family will often refrain from causing overt symptoms. However, a Folstart infection can often be recognized because of telltale system changes associated with this family of malware. Folstart worms will typically install a fake Microsoft Updated executable file (with the EXE extension) in a folder named Rotinom, located in a directory created in the App Data folder. It will also create two directories on removable memory devices, typically named Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc and Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr. When installed, Folstart makes changes to the Windows Registry that allows Folstart to start automatically, hide its files from view and prevent the computer user from viewing the files in the Windows Explorer.

Most Folstart infections come from an infected USB drive. In fact, once installed, the Folstart worm will check for all USB devices connected to the infected computer. Then, Folstart makes copies of itself on all external memory devices Folstart detects. During its installation process, the criminals behind the Folstart worm use a clever tactic to ensure that the victim is tricked into opening Folstart's executable file. Folstart is installed with an icon that looks exactly like the Windows' folder icon, making it appear as if Folstart's executable is actually a folder on the infected drive. This fake 'directory' is named exactly like the external memory drive that has become compromised, making it likely that the drive's owner will open the Folstart worm's executable file mistaking it for the USB drive's main folder. To ensure that the victim does not detect this fake file for what it is, part of Folstart's installation process involved making changes to your computer's settings that prevent it from displaying file extensions, meaning that the EXE extension will not be displayed beside this fake folder's name.